MYSAPSSO2 cookie format in J2ee and ABAP - NW7

Similar Messages

• Compatability of J2EE and ABAP Editions

  Are these two sneak preview editions (Java Edition and ABAP Edition) compatable such that they both can be installed on the same XP system?
  Presumably the Full edition which is not yet released will provide for a proper J2EE add-in installation.
  But in the meantime, should it be OK to install the J2EE ABAP installations separately on the same system?
  If yes, if there any special approach to the instance numbering that must be followed?
  Thanks!

  Thanks for those hints.   I have installed the ABAP version (SID = NSP).   After that the J2EE installation (J2E) is smart enough to figure out that instance 00 is already taken and uses 02 (without any input from the installer).
  But ... unfortunately ... Load Java Database Content step just hangs.  The last message in the log is an INFO message (see below).   It seems like a lot of people have reported problems like this one. 
  So close!
  INFO 2005-11-09 12:34:39
  Output of C:\Program Files\JavaSoft\1.4.2_09/bin/java.exe '-classpath' './sharedlib/antlr.jar;./sharedlib/exception.jar;./sharedlib/jddi.jar;./sharedlib/jload.jar;./sharedlib/logging.jar;./sharedlib/offlineconfiguration.jar;./sharedlib/opensqlsta.jar;./sharedlib/tc_sec_secstorefs.jar;c:\sapdb\programs\runtime\jar\sapdbc.jar;C:/usr/sap/J2E/SYS/global/security/lib/tools/iaik_jce_export.jar;C:/usr/sap/J2E/SYS/global/security/lib/tools/iaik_jsse.jar;C:/usr/sap/J2E/SYS/global/security/lib/tools/iaik_smime.jar;C:/usr/sap/J2E/SYS/global/security/lib/tools/iaik_ssl.jar;C:/usr/sap/J2E/SYS/global/security/lib/tools/w3c_http.jar' '-Duser.timezone=Europe/Berlin' '-showversion' '-Xmx512m' 'com.sap.inst.jload.Jload' '-sec' 'J2E,jdbc/pool/J2E,C:\usr\sap\J2E\SYS\global/security/data/SecStore.properties,C:\usr\sap\J2E\SYS\global/security/data/SecStore.key' '-dataDir' 'C:/WAS/NW04SneakPrevJavaSP11/NWSneakPreviewSP11/SAP_NetWeaver_04_SR_1_Installation_Master_DVD__ID__51030843\IM01_NT_I386\..\..\SneakPreviewContent\JDMP' '-job' 'C:\Program Files\sapinst_instdir\NW04SR1\WEBAS_COPY\ONE_HOST/IMPORT.XML' '-log' 'C:\Program Files\sapinst_instdir\NW04SR1\WEBAS_COPY\ONE_HOST/jload.log' is written to the logfile C:\Program Files\sapinst_instdir\NW04SR1\WEBAS_COPY\ONE_HOST/jload.java.log.

• HA Solution with J2EE and ABAP Stack

  In the Planning Guide is written that if DB2 data sharing is used, each application server connects to only one database server at any one time. There is a mechanism called sysplex failover that automatically redirects an application server to another database server in case of a failure. Sysplex failover is currently not available for a SAP J2EE system.
  Let’s assume that DB2 Member A fails. The ABAP Stack A is doing automatically a reconnect to DB2 Member B. The J2EE Stack A isn't able to do this. So what happens now with the new incoming http requests over the WebDispatcher/ICM? The J2EE Server on A is basically running still well, because only DB2 member A is down.
  a) Does the MSG server realize that DB2 Member A is no longer available and informs therefore the WebDispatcher that incoming requests should be send to J2EE Server on machine B?
  b) Doesn't the MSG server realize this situation and therefore the WebDispatcher will furthermore load balance the requests between J2EE server A and J2EE server B?
  Thanks for your help and clarification?
  Roger

  Sorry, I haven't had time to answer your questions and unfortunately won't have in the forseeable future.
  I'm using read only, so I do not know about RW, except that AD requires SSL and probably some settings on the AD server as well as the account you are connecting with.
  BTW. The answer to the original question is that it is not possible to mix ssl and non-ssl connections to LDAP
  Regards
  Dagfinn
  Message was edited by: Dagfinn Parnas

• URLs Prefixes Customized on Both J2EE and ABAP Side

  In the Diagnostic Support tool I am getting the subject error message and the following check error:
  The URL for ABAP customizing table RSPOR_T_PORTAL: https://mycompany.com:1443 is not compatible with the URL for ABAP-based BI URL generation for BEx Web Applications 3.x (function module RSBB_URL_PREFIX_GET): http://mycompany.com:8104
  I have no idea where the function module RSBB_URL_PREFIX_GET is getting that port of 8104. Any ideas where I can check?
  Mike

  I think from the profile parameter : icm/host_name_full.
  in your instsance profile enter :
  icm/host_name_full = hostname.domaine.
  look also at the 2 parameters :
  icm/server_port_0
  ms/server_port_0
  may be the ms/server_port_0 is equal to 81$$.
  instance id is it 04 ?
  these parameters should (if i remember well) define the URL you are using. make changes and let me know if it works.
  Regards.

• Calling an Abap Web Service from IBM WebSphere with a MYSAPSSO2 Cookie

  Hello,
  I have the following problem :
  I have to develop a proof of concept between IBM Web Sphere 5.1 and SAP AS JAVA 7.0.
  I have created an IBM sevlet in Web Sphere, I use a specific redirect from an SAP AS Java to call it, this way I can have a SAP Logon Ticket, and I manage to call an ABAP module function with JCO with SSO.
  Scenario 1 : browser  + authentication --> AS Java redirect servlet MYSAPSSO2 cookie -> IBM WebSphere servlet JCO -> Abap module function (ECC5)
  This scenario works fine.
  I have to do the same scenario with a Web Service and I don't know what to do.
  I try to use jax-rpc handlers but I don't know how to pass my cookie from my servlet to my handler.
  Scenario 2 : browser + authentication --> AS Java redirect servlet MYSAPSSO2 cookie -> IBM WebSphere servlet JCO -> Abap Web Service (ECC5)
  Has someone already done that  ?
  Regards,  Julien.

  Julien,
  Why are you using 5.1....go for 6.0 and its cake walk, i have integrated WebSphere 6.0 with R/3 uysing xi.....in a week.
  Scenario changed to:--
  Browser+ authentication --> WebSphere AS servlet request --> XI --> RFC/bapi --> abap webService
  Hope that helps
  Regards
  Ravi

• SRM and MYSAPSSO2 cookie

  Hello,
  we are using SRM 4.0 (standalone scenario) with integrated ITS 6.40. The SRM application is accessed directly through browser (without any SAP portal encapsulation). We would like to customize the lifetime of cookie MYSAPSSO2 which is set after user authentication. I have noticed that this cookie is still located at browser level as long as this browser is open : there is no time validity for this cookie. As user's session, at application server level, is submited to timeout, we would like to be able to set such timeout for MYSAPSSO2 cookie too.
  Do you know a way to achieve this ?
  Thank you for your help.
  Regards.
  Fabrice

  Hi Fabrice.
  I am using Single Sign On for SRM Add on ERP without portal.
  I have set up the following tickets with value 1 but after 8 hours this tickets resets to 0 and have to put value as 1 again via RZ11 so that user can sign on properly in SRM as SSO.
  login/create_sso2_ticket and login/accept_sso2_ticket
  In our system, the default value for login/ticket_expiration_time is 8 hrs.
  Please advise what i shoud do so that the single sign on works properly and the value of parameters does reset to 0.
  Thanks,
  Sagar

• Issue while parsing the MYSAPSSO2 Cookie

  Hi All,
  We are trying to establish SSO with a non SAP web application using MYSAPSSO2 cookie.
  Plan is to write a java class which can parse out the MYSAPSSO2 cookie, extract the user Id and use it for single sign on.
  Following Libraries are used:
  logging.jar
  i18n_cp.jar
  iaik_jce.jar
  com.sap.security.api.jar
  com.sap.security.core.jar
  rscp4j.dll(this is downloaded from a SAP EP 7.0 instance running in windows 2003 server in our landscape).
  Our Source SAP EP 7.0 instance which will be issuing the cookie is running in Solaris.
  The target application in which the cookie is parsed, is running in Windos 2003 64 bit server.
  Following is the code which we are using.
  //Instantiate the rpovider
  IAIK provider = new IAIK();
  Security.addProvider(provider);
  //Instantiate the ticket
  tv  =   new com.sap.security.core.ticket.imp.Ticket();
  //set teh certificates
  tv.setCertificates(certificates);
  //set the MYSAPSSO2 cookie
  tv.setTicket(strCookie);
  if (!tv.isValid()){
       System.out.println("Ticket is not valid");
  //Verify the ticket
  tv.verify();
  isValid method is working fine - it is returning true or false exactly based on the validity.
  ISSUE:
  tv.verify();--->Raises the following exception:
  java.security.SignatureException-Certificate (Issuer="CN=SID,OU=XX,O=XYZ,L=LO,ST=ST,C=CO", S/N=1234567890) not found.
  When analyzed, it looks like the verify method is trying to compare the issuer's serial number in integer format
  but the portal is providing the serial number in hexadecimal format.
  So the keystore has the certificate with the same issuer and serial number but the serial number is in hexadecimal format.
  The certificate from SAP Enterprise Portal was imported to the local keystore using the keytool -import option.
  Could anyone help resolve this issue?
  Thanks in advance.

  Hi,
  im facing the exact same problem, and I think I found the reason for the behavior described above.
  The Problem seems to be located at
  [http://help.sap.com/javadocs/NW73/SPS01/CE/se/com.sap.se/com/sap/security/api/ticket/TicketVerifier.html#verify()]
  from com.sap.security.api.jar, just like mentioned.
  But the Problem seems to be the issuer, not the serial number.
  When decompiling  com.sap.security.api.jar with JD-GUI ([http://java.decompiler.free.fr/?q=jdgui]),
  you can see the following:
       public static java.security.cert.X509Certificate[] findCertificates(
                 java.security.cert.X509Certificate[] certificates, String issuer, BigInteger serial) {
            if ((certificates == null) || (certificates.length == 0)) {
                 return null;
            ArrayList certificateList = new ArrayList();
            for (int i = 0; i < certificates.length; i++) {
                 java.security.cert.X509Certificate certificate = certificates<i>;
                 if ((certificate.getIssuerDN().getName().equals(issuer)) && (certificate.getSerialNumber().equals(serial))) {
                      certificateList.add(certificate);
            if (certificateList.size() == 0) {
                 return null;
            java.security.cert.X509Certificate[] matchedCertificates = new java.security.cert.X509Certificate[certificateList
                      .size()];
            certificateList.toArray(matchedCertificates);
            return matchedCertificates;
  As you can see, the issuer-parameter is beeing compared with the issuer from the certificate. And here comes the weird stuff: While the  issuer-parameter contains an issuer like
  "OU=J2EE,CN=EXAMPLE"
  the issuer retrieved from the certificate is
  "OU=J2EE, CN=EXAMPLE"
  (see toString() of the java.security.cert.X509Certificate)
  You see the missing whitespace after the comma? This is the reason why the if-condition fails and you get something like
  java.security.SignatureException: Certificate (Issuer="OU=J2EE,CN=EXAMPLE", S/N=1234) not found.
  A workaround (a really UGLY one, I admit), is the following:
  1. Open  com.sap.security.api.jar with a ZIP-tool and delete
  /com/sap/security/api/ticket/TicketVerifier.class
  2. Copy the decompilied Version of TicketVerifier to Java-Class /com/sap/security/api/ticket/TicketVerifier.java
  3. Change
  for (int i = 0; i < certificates.length; i++) {
       java.security.cert.X509Certificate certificate = certificates<i>;
       if ((certificate.getIssuerDN().getName().equals(issuer)) && (certificate.getSerialNumber().equals(serial))) {
            certificateList.add(certificate);
  to
  for (int i = 0; i < certificates.length; i++) {
       X509Certificate certificate = certificates<i>;
       String dnNameFromCert = certificate.getIssuerDN().getName().replaceAll(", ", ",");
       BigInteger serialNumberFromCert = certificate.getSerialNumber();
       if ((dnNameFromCert.equals(issuer)) && (serialNumberFromCert.equals(serial))) {
            certificateList.add(certificate);
  4. Package this class into a jar and make it available in your classpath.
  5. Enjoy
  To me, this is a huge bug in the SAP-Library and has to be fixed.
  Regards
  Matthias
  Edited by: Matthias82 on Sep 29, 2011 12:47 PM

• Issue in parsing MYSAPSSO2 Cookie -Certificate Serial no is in Hexadecimal

  Hi All,
  We are trying to establish SSO with a non SAP web application using MYSAPSSO2 cookie.
  Plan is to write a java class which can parse out the MYSAPSSO2 cookie, extract the user Id and use it for single sign on.
  Following Libraries are used:
  logging.jar
  i18n_cp.jar
  iaik_jce.jar
  com.sap.security.api.jar
  com.sap.security.core.jar
  rscp4j.dll(this is downloaded from a SAP EP 7.0 instance running in windows 2003 server in our landscape).
  Our Source SAP EP 7.0 instance which will be issuing the cookie is running in Solaris.
  The target application in which the cookie is parsed, is running in Windos 2003 64 bit server.
  Following is the code which we are using.
  //Instantiate the rpovider
  IAIK provider = new IAIK();
  Security.addProvider(provider);
  //Instantiate the ticket
  tv = new com.sap.security.core.ticket.imp.Ticket();
  //set teh certificates
  tv.setCertificates(certificates);
  //set the MYSAPSSO2 cookie
  tv.setTicket(strCookie);
  if (!tv.isValid()){
  System.out.println("Ticket is not valid");
  //Verify the ticket
  tv.verify();
  isValid method is working fine - it is returning true or false exactly based on the validity.
  ISSUE:
  tv.verify();--->Raises the following exception:
  java.security.SignatureException-Certificate (Issuer="CN=SID,OU=XX,O=XYZ,L=LO,ST=ST,C=CO", S/N=1234567890) not found.
  When analyzed, it looks like the verify method is trying to compare the issuer's serial number in integer format
  but the portal is providing the serial number in hexadecimal format.
  So the keystore has the certificate with the same issuer and serial number but the serial number is in hexadecimal format.
  If I print the certificates available in the keystore it is printing that certificate with serial number in hexadecimal format. if I convert that hexadecimal to decimal - I get the same number which is part of the error message raised by the code.
  The certificate from SAP Enterprise Portal was imported to the local keystore using the keytool -import option.
  Could anyone help resolve this issue?
  Thanks in advance.

  Any advice please?
  Do I need to post it in a different forum?

• MYSAPSSO2 Cookie not found in IE

  Hi Everyone,
  I am trying to implement SSO between a third party Java application and the SAP EP 7.0. As a test procedure, I log in to my portal and then run my code to see if I can retrieve and decrypt the MYSAPSSO2 cookie.
  My code works perfectly when I log in to the portal using Mozilla Firefox (2.0.0.1); I can see the MYSAPSSO2 cookie and decrypt it (Log file output below). However, when I use IE (6.0.3790.1830) to log in to the portal, I can not retrieve the MYSAPSSO2 cookie. It seems as if this cookie does not even exists. I am thinking the cookie is somehow hidden and therefore my code can't see it.
  Has anyone faced this issue before? I have tried to decrease the security settings on IE but that doesn't help things. Any help on this issue would be really appreciated!
  Pasted below is a snippet of my code.
  //request is a HttpServletRequest object
  Cookie[] allCookies = request.getCookies();
                      int allCookiesLength = allCookies.length;
                      for (int i = 0 ; i<allCookiesLength; i++)
                           Log.debug("Cookie Name at " + i + " = " + allCookies<i>.getName());
                           if(allCookies<i>.getName().compareToIgnoreCase("MYSAPSSO2")==0)
                                SAP_SSO_COOKIE =  allCookies<i>;
                                                  Log.debug("Cookie Found!");
                                cookieFound = true;
                                break;
                                          Log.debug("Cookie NOT Found!");
                           cookieFound = false;
  <u><b>Log file Output with IE</b></u>
  2007.02.07 13:05:31 Cookie Name at 1 = saplb_*
  2007.02.07 13:05:31 Cookie Name at 2 = JSESSIONID
  2007.02.07 13:05:31 Cookie NOT Found!
  <u><b>Log file Output with Firefox</b></u>
  2007.02.07 13:54:15 Cookie Name at 0 = saplb_*
  2007.02.07 13:54:15 Cookie Name at 1 = PortalAlias
  2007.02.07 13:54:15 Cookie Name at 2 = JSESSIONID
  2007.02.07 13:54:15 Cookie Name at 3 = MYSAPSSO2
  2007.02.07 13:54:15 Cookie Found!
  Thanks
  MOY

  Michael,
  I changed the parameter "httponlycookie" to FALSE and this works. My issue was that when I set the parameter to FALSE, I restarted my J2EE engine. For some odd reason, after the restart this parameter was set back to TRUE. Whats even worse, or maybe even cool, depends how you look at it, is that this parameter is set back to TRUE even if I closed down Visual Admin and fire it up again (without restarting the server). However, in this case SSO still works because the J2EE settings are not updated with this TRUE value. Is there a security setting which sets back this parameter to TRUE every time the server is restarted or when Visual Admin is fired up?
  Thanks
  MOY

• MYSAPSSO2 cookie - difference user versus portaluser

  Hi all,
  I recognized that the MYSAPSSO2 cookie contains 2 fields for a user id.
  1) the user
  2) the portalUser
  does anybody the difference / use cases for those fields
  any help is appreciated
  regards Karin

  Hi Paul,
  thanks for your answer.
  We use a abap mandant as user store for sap ep.
  if the user is stored in the abap mandant (which is almost for all users the case,
  except of some special users)
  portaluser and user field are used.
  if the user is just stored in the local user database of the portal (this is only for some admin users the case) then the user field is empty, only the portaluser field is used.
  If I would like to use the MYSAPSSO2 cookie to propagate the user to NON
  SAP systems. According to your answer, it would make sense, to use the user field (and not the portaluser field).
  Regards
  Karin

• Decrypt MYSAPSSO2 cookie.

  Hi friends,
  I have written a custom java application running on a "non sap j2ee server". In that application, i want to accept and decrypt MYSAPSSO2 cookie and get the userid. Is this possible? I did not find any relevant documents for this. Could anyone provide the same?
  Regards,
  Nilz

  Hi Nilz,
  Is your problem solved, even I need the solution for the same. I need to decrypt MYSAPSSO2 cookie to get user id from it. I need some java code for it.
  I tried to open service.sap.com/swdc, but it asks user id and password to connect to it ...what to do
  regards,
  bhawna

• Using XSLT to link XML and ABAP data

  Hi Experts,
  I am using XSLT to deal with XML and ABAP data.
  I using the following statement to convert a Internal Table to XML String:
  CALL TRANSFORMATION id SOURCE  root = lt_sflight RESULT XML l_xml_string.
  And I get the XML String:
  <?xml version="1.0" encoding="utf-16" ?>
  <asx:abap xmlns:asx="http://www.sap.com/abapxml" version="1.0">
  <asx:values>
  <ROOT>
  <SFLIGHT>
  </SFLIGHT>
  <SFLIGHT>
  </SFLIGHT>
  </ROOT>
  </asx:values>
  </asx:abap>
  But What I expected is:
  <?xml version="1.0" encoding="utf-16" ?>
  <asx:abap xmlns:asx="http://www.sap.com/abapxml" version="1.0">
  <asx:values>
  <ROOT>
  <DATA>
  </DATA>
  <DATA>
  </DATA>
  </ROOT>
  </asx:values>
  </asx:abap>
  Could you tell me how to get my dream format using XSLT?
  Best Regards,
  Guo Guo Qing
  Edited by: guoqing guo on Jun 11, 2008 9:58 AM

  Hi Experts,
  I am using XSLT to deal with XML and ABAP data.
  I using the following statement to convert a Internal Table to XML String:
  CALL TRANSFORMATION id SOURCE  root = lt_sflight RESULT XML l_xml_string.
  And I get the XML String:
  <?xml version="1.0" encoding="utf-16" ?>
  <asx:abap xmlns:asx="http://www.sap.com/abapxml" version="1.0">
  <asx:values>
  <ROOT>
  <SFLIGHT>
  </SFLIGHT>
  <SFLIGHT>
  </SFLIGHT>
  </ROOT>
  </asx:values>
  </asx:abap>
  But What I expected is:
  <?xml version="1.0" encoding="utf-16" ?>
  <asx:abap xmlns:asx="http://www.sap.com/abapxml" version="1.0">
  <asx:values>
  <ROOT>
  <DATA>
  </DATA>
  <DATA>
  </DATA>
  </ROOT>
  </asx:values>
  </asx:abap>
  Could you tell me how to get my dream format using XSLT?
  Best Regards,
  Guo Guo Qing
  Edited by: guoqing guo on Jun 11, 2008 9:58 AM

• How is the interface between the Java Stack and ABAP stack is achieved?

  How is the interface between the Java Stack and ABAP stack is achieved?..Please send me the answer to [email protected]

  Hi,
  By interface, I assume you mean the connection between the ABAP and the Java stacks in a double stack system.
  The connection from Java to ABAP is through JCo connections defined in the WebDynpro section of the J2EE start page. So Java to ABAP requests are processed through JCo.
  The connection from ABAP to Java is through RFC connections defined in TA SM59. The ABAP to Java requests are processed through RFC.
  Refer https://dsd.esco-salt.com/StartPage/documents/integration/3.html for detailed explanation.
  The UME can be maintained in either ABAP or in JAVA depending on the persistence.
  Refer: http://help.sap.com/saphelp_nw70/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm
  Check UME data source configuration.
  Some quick FAQs can be found at:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/ad47eb90-0201-0010-7cb2-ddfa5ed879ec
  Hope this helps.
  Best Regards,
  Srividya.R

• JAVA Stack and ABAP Stack not in Sync

  Hi,
  when i logged into the MI Server(7.0) gonr thru the following navigation :
  Administration-->Mobile Infrastructure---->Mobile components
  which i click on the search button i am getting the following error
  "JAVA Stack and ABAP Stack not in Sync"
  Already i redeployed the sapjra.rar, still i find the error unchanged.
  Any help on this would be great........
  Thanks,
  vijay.

  Hi
  Refer this link
  Need to Configure MI Server 7.0
  As explained by veeraragavan in this link follow these steps
  Following are in brief the roles required, just forward the same to your BASIS administrator.
  In the ABAP Stack -Under Transaction SU01:
  End User:
  SAP_MI_SERVICE
  Administrator / Critical Developers:
  SAP_J2EE_ADMIN
  SAP_MI_ADMIN
  In the J2EE Stack - Under Identity Management:
  End User:
  No role required. You can give a role for display: SAP_JAVA_NWMOBILE_ADMIN_READONLY
  Administrator / Critical Developers:
  SAP_JAVA_NWMOBILE_ADMIN_SUPER
  regards
  Manohar
  Edited by: Gouri  Manohar Gadhamsetty on Jan 19, 2009 7:17 AM

• Java and ABAP Stack

  Hi All,
  I am still not clear about role/function of java and abap stack in XI.
  Can anybody explain?

  Sireesha,
  Tha ABAP stack consists of the Integration Server which in turn contains your Integration Engine and Business Process Engine.
  The J2EE stack contains the Adapter Engine and your IR and ID run on the J2EE engine.
  Most of  XI pipelines happens in the ABAP stack.
  All messsages picked by the Adapter Framework running on the J2EE engine are passed to the Integration Engine, which does the routing. The mapping program again gets executed on the Java stack and the rest of the pipeline servies are executed again on the ABAP stack and so on.
  please go through links::
  ABAP and JAVA in Netweaver stack
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/media/uuid/4aa47d27-0a01-0010-5db4-bb62dfc8c069?prtmode=navigate